RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
Hey Larry- hope everything's going well...

When you've got a systemic vulnerability, in this case the TCP/IP stack itself, exploitation information must be explicit and definitive. I'm fine with risk classification, and I appreciate efforts to categorize risk into manageable exposure metrics, but we shouldn't have to infer potential vulnerability information from vague disclosure data. I know many response teams base patch paths on the published severity, but one also has to be able to make decisions on their own. For me, no big deal. But it's not that simple for others.

But there's not enough information for me to make that call. Is it for ANY "listening service?" TCP or UDP? Does the "stateful" firewall introduced in subsequent versions stop it?

The answers are "yes," "yes," and "no." They should just say that. Is it "low" because the firewall doesn't have any exceptions by default? If so, that's silly. Everyone using XP for anything has incoming connections for something, and well known if on a domain. I feel sorry for Diebold and NEC with all the ATMs out there running XP, but fortunately, I'm not responsible for clients using their systems anymore :)

Anyway, the DoS suxx0rz, but I'm more irritated with the lack of real, straight-forward, no-nonsense information and technical sleight of hand. The information should be painfully obvious, not obviously painful.

t
> -----Original Message-----
> From: Larry Seltzer [mailto:larry@larryseltzer.com]
> Sent: Wednesday, September 16, 2009 8:21 AM
> To: Thor (Hammer of God); Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: RE: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> I agree that the FAQ explanation in the advisory is vague about what
> protection the firewall provides. One clue I would infer about it is
> that they rated this a "Low" threat. If it were vulnerable in the
> default configuration, with the firewall (or some other firewall) on,
> they probably would have rated it at least Medium. If I'm wrong about
> that then the "Low" rating is misleading.
>
> Larry Seltzer
> Contributing Editor, PC Magazine
> larry_seltzer@ziffdavis.com
> http://blogs.pcmag.com/securitywatch/
>
>
> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Thor
> (Hammer of God)
> Sent: Wednesday, September 16, 2009 11:00 AM
> To: Eric C. Lukens; bugtraq@securityfocus.com
> Cc: full-disclosure@lists.grok.org.uk
> Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
>
> Thanks for the link. The problem here is that not enough information
> is given, and what IS given is obviously watered down to the point of
> being ineffective.
>
> The quote that stands out most for me:
> <snip>
> During the Q&A, however, Windows users repeatedly asked Microsoft's
> security team to explain why it wasn't patching XP, or if, in certain
> scenarios, their machines might be at risk. "We still use Windows XP
> and we do not use Windows Firewall," read one of the user questions.
> "We use a third-party vendor firewall product. Even assuming that we
> use the Windows Firewall, if there are services listening, such as
> remote desktop, wouldn't then Windows XP be vulnerable to this?"
>
> "Servers are a more likely target for this attack, and your firewall
> should provide additional protections against external exploits,"
> replied Stone and Bryant.
> </snip>
>
> If an employee managing a product that my company owned gave answers
> like that to a public interview with Computerworld, they would be in
> deep doo. First off, my default install of XP Pro SP2 has remote
> assistance inbound, and once you join to a domain, you obviously accept
> necessary domain traffic. This "no inbound traffic by default so you
> are not vulnerable" line is crap. It was a direct question - "If RDP
> is allowed through the firewall, are we vulnerable?" A:"Great question.
> Yes, servers are the target. A firewall should provide added
> protection, maybe. Rumor is that's what they are for. Not sure
> really. What was the question again?"
>
> You don't get "trustworthy" by not answering people's questions,
> particularly when they are good, obvious questions. Just be honest
> about it. "Yes, XP is vulnerable to a DOS. Your firewall might help,
> but don't bet on it. XP code is something like 15 years old now, and
> we're not going to change it. That's the way it is, sorry. Just be
> glad you're using XP and not 2008/vista or you'd be patching your arse
> off right now."
>
> If MSFT thinks they are mitigating public opinion issues by
> side-stepping questions and not fully exposing the problems, they are
> wrong. This just makes it worse. That's the long answer. The short
> answer is "XP is vulnerable to a DoS, and a patch is not being
> offered."
>
> t
>
>
>
> > -----Original Message-----
> > From: full-disclosure-bounces@lists.grok.org.uk [mailto:full-
> > disclosure-bounces@lists.grok.org.uk] On Behalf Of Eric C. Lukens
> > Sent: Tuesday, September 15, 2009 2:37 PM
> > To: bugtraq@securityfocus.com
> > Cc: full-disclosure@lists.grok.org.uk
> > Subject: Re: [Full-disclosure] 3rd party patch for XP for MS09-048?
> >
> > Reference:
> >
> >
> > http://www.computerworld.com/s/article/9138007/Microsoft_No_TCP_IP_patches_for_you_XP
> >
> > MS claims the patch would require too much overhaul of XP to make it
> > worth it, and they may be right. Who knows how many applications
> > might break that were designed for XP if they have to radically
> > change the TCP/IP stack. Now, I don't know if the MS speak is true,
> > but it certainly sounds like it is not going to be patched.
> >
> > The other side of the MS claim is that a properly-firewalled XP
> > system would not be vulnerable to a DOS anyway, so a patch shouldn't
> > be necessary.
> >
> > -Eric
> >
> > -------- Original Message --------
> > Subject: Re: 3rd party patch for XP for MS09-048?
> > From: Jeffrey Walton <noloader@gmail.com>
> > To: nowhere@devnull.com
> > Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
> > Date: 9/15/09 3:49 PM
> > > Hi Aras,
> > >
> > >
> > >> Given that M$ has officially shot-down all current Windows XP
> > >> users by not issuing a patch for a DoS level issue,
> > >>
> > > Can you cite a reference?
> > >
> > > Unless Microsoft has changed their end of life policy [1], XP
> > > should be patched for security vulnerabilities until about 2014.
> > > Both XP Home and XP Pro's mainstream support ended in 4/2009, but
> > > extended support ends in 4/2014 [2]. Given that we know the end of
> > > extended support, take a look at bullet 17 of [1]:
> > >
> > > 17. What is the Security Update policy?
> > >
> > > Security updates will be available through the end of the Extended
> > > Support phase (five years of Mainstream Support plus five years of
> > > the Extended Support) at no additional cost for most products.
> > > Security updates will be posted on the Microsoft Update Web site
> > > during both the Mainstream and the Extended Support phase.
> > >
> > >
> > >> I realize some of you might be tempted to relay the M$ BS about
> > >> "not being feasible because it's a lot of work" rhetoric...
> > >>
> > > Not at all.
> > >
> > > Jeff
> > >
> > > [1] http://support.microsoft.com/gp/lifepolicy
> > > [2] http://support.microsoft.com/gp/lifeselect
> > >
> > > On Tue, Sep 15, 2009 at 2:46 PM, Aras "Russ" Memisyazici
> > > <nowhere@devnull.com> wrote:
> > >
> > >> Hello All:
> > >>
> > >> Given that M$ has officially shot-down all current Windows XP
> > >> users by not issuing a patch for a DoS level issue, I'm now curious
> > >> to find out whether or not any brave souls out there are already
> > >> working or willing to work on an open-source patch to remediate the
> > >> issue within XP.
> > >>
> > >> I realize some of you might be tempted to relay the M$ BS about
> > >> "not being feasible because it's a lot of work" rhetoric... I would
> > >> just like to hear the thoughts of the true experts subscribed to
> > >> these lists :)
> > >>
> > >> No harm in that is there?
> > >>
> > >> Aras "Russ" Memisyazici
> > >> Systems Administrator
> > >> Virginia Tech
> > >>
> > >>
> > >>
> >
> > --
> > Eric C. Lukens
> > IT Security Policy and Risk Assessment Analyst
> > ITS-Network Services
> > Curris Business Building 15
> > University of Northern Iowa
> > Cedar Falls, IA 50614-0121
> > 319-273-7434
> > http://www.uni.edu/elukens/
> > http://weblogs.uni.edu/elukens/
> >
> >
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/